全自动安装脚本(含安全加固)

搭建节点

cat << 'EOF' > deploy_pure_reality.sh
#!/bin/bash

# 1. 基础环境准备与检测
echo "=====> 1. 正在更新系统组件并安装必要工具..."
sudo apt-get update && sudo apt-get install -y curl openssl uuid-runtime jq

# 2. 安装官方最新内核
echo "=====> 2. 正在通过官方脚本安装..."
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

# 3. 动态生成完全随机且唯一的密钥材料
echo "=====> 3. 正在生成专属密钥材料..."
UUID=$(uuidgen)
SHORT_ID=$(openssl rand -hex 8)

# 调用 生成 x25519 密钥对
KEYPAIR=$(xray x25519)
PRIVATE_KEY=$(echo "$KEYPAIR" | sed -n 's/PrivateKey: //p')
PUBLIC_KEY=$(echo "$KEYPAIR" | sed -n 's/Password (PublicKey): //p')

# 4. 写入服务端 config.json (纯净 Reality,拒绝本地回落陷阱)
echo "=====> 4. 正在配置 服务端 规则..."
sudo mkdir -p /usr/local/etc/xray

sudo cat << XRAY_EOF > /usr/local/etc/xray/config.json
{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "${UUID}",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "xver": 0,
                    "show": false,
                    "dest": "www.apple.com:443",
                    "serverNames": [
                        "www.apple.com"
                    ],
                    "privateKey": "${PRIVATE_KEY}",
                    "shortIds": [
                        "${SHORT_ID}"
                    ],
                    "fingerprint": "chrome"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}
XRAY_EOF

# 5. 注入高性能 BBR 与内核网络栈优化参数
echo "=====> 5. 正在强推内核油门 (开启 BBR + 优化网络栈缓冲)..."
sudo cat << BBR_EOF >> /etc/sysctl.conf

# 自建节点满血网络优化
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_mtu_probing=1
net.core.somaxconn=65535
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_tw_reuse=1
BBR_EOF

# 让内核参数立即生效
sudo sysctl -p

# 6. 重启服务
echo "=====> 6. 正在启动服务..."
sudo systemctl daemon-reload
sudo systemctl restart xray
sudo systemctl enable xray

# 7. 生成供本地直接复制粘贴的 proxies 配置
echo "===================================================="
echo "🎉 恭喜!服务端节点已部署完毕并进入满血状态!"
echo "===================================================="
echo "👇 请直接复制以下内容替换你本地的 proxies 项:"
echo ""
echo "proxies:"
echo "  - name: \"自建满血节点\""
echo "    type: vless"
echo "    server: $(curl -s ifconfig.me)"
echo "    port: 443"
echo "    uuid: ${UUID}"
echo "    network: tcp"
echo "    udp: true"
echo "    tls: true"
echo "    flow: xtls-rprx-vision"
echo "    servername: www.apple.com"
echo "    reality-opts:"
echo "      public-key: ${PUBLIC_KEY}"
echo "      short-id: ${SHORT_ID}"
echo "    client-fingerprint: chrome"
echo "===================================================="

EOF

赋予执行权限并运行脚本

chmod +x deploy_pure_reality.sh
sudo ./deploy_pure_reality.sh

SSH端口修改

安全起见更改ssh端口

sudo echo "Port 45563" >> /etc/ssh/sshd_config

更改Socket文件配置

vim /etc/systemd/system/ssh.service.requires/ssh.socket

修改ListenStream=0.0.0.0:45563

重启服务

sudo systemctl restart sshd.service

更改ssh密钥访问,首先推公钥ssh-copy-id user@remote_host

# /etc/ssh/sshd_config
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password

安全加固(节点部署后必做)

1. 安装 fail2ban — SSH爆破防御

# 安装
sudo apt install -y fail2ban

# 配置(修改port为你的实际SSH端口)
sudo cat > /etc/fail2ban/jail.local << 'CONF'
[DEFAULT]
bantime = 3600        # 封禁时长1小时
findtime = 600        # 检测窗口10分钟
maxretry = 5          # 5次失败封禁
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = 45563          # 改为你的SSH端口
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 5
bantime = 3600
findtime = 600
CONF

# 重启生效
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

# 验证
sudo fail2ban-client status sshd

2. 安装自动安全更新

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# 验证
sudo systemctl status unattended-upgrades

3. 内核安全参数加固

sudo cat > /etc/sysctl.d/99-security.conf << 'SYSCTL'
# ---- 网络层安全防护 ----
net.ipv4.tcp_syncookies=1                       # SYN Flood防护
net.ipv4.conf.all.rp_filter=1                   # IP源地址伪造防护
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0         # 禁用源路由
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1                # 记录异常IP包
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1          # Smurf攻击防护
net.ipv4.icmp_ignore_bogus_error_responses=1    # 忽略伪造ICMP错误

# ---- ICMP重定向防护 ----
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

# ---- 地址随机化 ----
kernel.randomize_va_space=2                     # 全量ASLR
SYSCTL

# 立即生效
sudo sysctl -p /etc/sysctl.d/99-security.conf

4. 防火墙配置(UFW)

# 启用UFW
sudo ufw enable

# 放行必要端口
sudo ufw allow 45563/tcp    # SSH(改为你的端口)
sudo ufw allow 443/tcp      # Xray

# 默认入站拒绝,出站允许
sudo ufw default deny incoming
sudo ufw default allow outgoing

# 验证
sudo ufw status verbose

写在最后

节点部署容易,维护才是关键。以上安全加固步骤请在每台服务器部署完毕后立即执行,可以有效抵御自动化扫描和SSH爆破攻击。

建议在日常运维中:

  • 定期检查 xray 运行状态:systemctl status xray
  • 查看 fail2ban 封禁记录:fail2ban-client status sshd
  • 检查安全更新:apt list --upgradable 2>/dev/null | grep security
  • 审计登录记录:lastgrep "Failed password" /var/log/auth.log

评论 (0)

暂无评论,快来抢沙发吧!

撰写评论

验证码